Cisco ise profiling

munish.dhiman1
Level 1

Hi,

Trying to understand the profiling behaviour; could you please correct me if my understanding is incorrect.

An IP phone connects to the network, gets profiled by ISE and is reflected in the endpoint repository. Now I moved the MAC address database to a new folder and created an authorization policy.

Now I disconnect the IP phone and reconnect. Will it get reprofiled again by the Plus license and show in the endpoint repository, or will ISE skip the profiling the second time and just enforce the authorization policy?

Regards,

MD

1 Accepted Solution

Mike.Cifelli
VIP Alumni
Just to clarify a few things, here is an overview:
ISE collects attributes from device sensors (NADs). The attributes are used to profile your devices. There are several probes you can use (Radius, IP, DNS, Radius, etc.). The only time a Plus license gets consumed in regard to profiling is if you use the profiled endpoint group as an authz condition in your policies. Re-profiling could occur if there has been a change or if you have enabled new profiles with different MCFs that your devices may match to depending on how they are set up. Good luck & HTH!

4 Replies

Jason Kunst
Cisco Employee
This was brought up before and pointed to a possible defect depending on your release. Please make sure you're running the latest patch and, if still a problem, check through the TAC as well.

Jason,

This is not an issue; however, I am trying to understand the expected behavior. As per the process, ISE processes a request in the following order:

Profiling ___ authentication ___ posture ___ then enforcement/authorization...
So if I move the profiled endpoint from the known endpoint folder to any other folder, and the same endpoint connects to the network the next time, will it show as unknown and will ISE profile it again before authentication?
Reason for asking this:
1. Well, I have a MAB policy and authorization is based on OUI (aa:cc:dd). After MAB, the device is checked for the OUI configured in the policy and access is provided.
How can I detect MAC spoofing in this case and send a CoA?

2. I am thinking of using a combination of something like this: "If a MAC starts with aa:bb:cc and is found in folder ABC, provide VLAN 10."
But now if someone spoofs the MAC address he will also get full access, because it's the same MAC or starts with the same OUI. How can we prevent this? How does profiling / the Plus license make a difference here?

BR,
MD
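The mechanics Mike describes (probe attributes scored against profiles, each with a minimum certainty factor) and the OUI-only MAB policy from MD's second question, as an added Python model that is not Cisco ISE code and not from anyone in this thread; the profile names, attribute names, certainty values and endpoint records are constructed for the illustration.

```python
# Simplified model of ISE-style profiling: attributes collected by probes
# (RADIUS, DHCP, CDP) are matched against profile rules, each rule adds a
# certainty factor (CF), and a profile matches only when the total reaches
# its minimum certainty factor (MCF). All values below are constructed.
from typing import Dict, List, Tuple

Endpoint = Dict[str, str]

# (profile name, MCF, [(attribute, expected value, CF), ...])
PROFILES: List[Tuple[str, int, List[Tuple[str, str, int]]]] = [
    ("Cisco-IP-Phone", 30, [
        ("oui", "aa:bb:cc", 10),
        ("dhcp_class_id", "Cisco Systems, Inc. IP Phone", 20),
        ("cdp_platform", "Cisco IP Phone", 20),
    ]),
    ("Workstation", 20, [
        ("dhcp_class_id", "MSFT 5.0", 20),
    ]),
]

def oui(mac: str) -> str:
    """First three octets of the MAC, which is all an OUI-only policy checks."""
    return mac.lower()[:8]

def profile(ep: Endpoint) -> Tuple[str, int]:
    """Best profile whose summed CF reaches its MCF, else ('Unknown', 0)."""
    attrs = dict(ep, oui=oui(ep["mac"]))
    best = ("Unknown", 0)
    for name, mcf, rules in PROFILES:
        score = sum(cf for attr, val, cf in rules if attrs.get(attr) == val)
        if score >= mcf and score > best[1]:
            best = (name, score)
    return best

def authz_oui_only(ep: Endpoint) -> str:
    """MD's policy: any MAC in the vendor's OUI range gets VLAN 10."""
    return "vlan10" if oui(ep["mac"]) == "aa:bb:cc" else "deny"

def authz_oui_and_profile(ep: Endpoint) -> str:
    """Same OUI check, but the profiled endpoint group must also match."""
    ok = oui(ep["mac"]) == "aa:bb:cc" and profile(ep)[0] == "Cisco-IP-Phone"
    return "vlan10" if ok else "deny"

def profile_changed(stored_profile: str, ep: Endpoint) -> bool:
    """On reconnect, a known MAC that no longer fits its stored profile is the trigger for a CoA/reauth."""
    return profile(ep)[0] != stored_profile

# Constructed endpoints: the real phone, and a laptop using the phone's MAC.
PHONE = {"mac": "aa:bb:cc:11:22:33", "dhcp_class_id": "Cisco Systems, Inc. IP Phone", "cdp_platform": "Cisco IP Phone"}
SPOOF = {"mac": "aa:bb:cc:11:22:33", "dhcp_class_id": "MSFT 5.0"}
```

With the OUI-only policy both endpoints get VLAN 10; with the profile condition added the spoofed laptop scores only 10 of the phone profile's 30 and is denied, and the profile change on reconnect is what a CoA could key on.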